Enables compliance checks and resource monitoring for GitHub repositories to ensure adherence to security standards and internal policies.
Supports automated remediation by creating Jira tickets for non-compliant resources or security vulnerabilities identified during assessments.
Allows for the verification of compliance and security controls within Kubernetes clusters and associated resources.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@ComplianceCow MCP ServerShow me the compliance dashboard for PCI DSS 4.0"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
ComplianceCow MCP Servers
Table of Contents
Introduction
MCP (Model Context Protocol) servers are designed to process structured requests from AI agents, perform domain-specific operations, and return context-aware responses. The ComplianceCow MCP servers enable seamless integration with MCP-compatible hosts like Claude Desktop and Goose Desktop/CLI for secure, modular, and intelligent compliance automation.
Glossary
Keyword | Description | Example |
Control | A compliance or security control that needs to be implemented to ensure adherence to regulations, standards, and policies | Ensure MFA is enabled for all users |
Assessment | A collection of controls organized hierarchically, representing an industry standard or cybersecurity framework | PCI DSS 4.0 |
Assessment Run | The verification of controls in an assessment for a given time period, including evidence collection | - |
Check | A rule or verification for compliance or conformance | Check if MFA is enabled for all AWS users |
Resource Type | Category or class of resources | AWS EC2, AWS S3 |
Resource | Instance of a resource type for which checks are performed | Specific EC2 instances, GitHub repositories |
Asset | A group of resources of various types | AWS services, Kubernetes, GitHub |
Evidence | Data aggregated through checks against resources for a given control | CSV file with AWS users and their MFA status |
Action | Activity (automated or manual) to respond or remediate based on conditions | Create a JIRA ticket for non-compliant EC2 instance |
Rule | A reusable automation unit that executes tasks and generates evidence | AWS MFA Compliance Check Rule |
Workflow | An event-driven automation sequence with conditions and activities | Alert workflow on critical finding |
Architecture
The ComplianceCow MCP servers support the STDIO transport mechanism for seamless local integration with your MCP host. At the core is the Compliance Graph, which continuously ingests data such as assessment runs, evidence, and compliance status. The server actively pulls information from:
Vector stores for semantic search
Relational databases for structured data
Graph databases for relationship queries
File storage systems for evidence artifacts
MCP Servers
We have organized ComplianceCow’s MCP tools into 4 distinct servers.
Why multiple MCP servers? In the MCP ecosystem, using fewer tools per server yields better results and better performance. Each server can be enabled independently via the
MCP_TOOLS_TO_BE_INCLUDEDenvironment variable. Important: Enable only one server at a time in the MCP Host to avoid tool name conflicts. Some tools share the same name across servers but have different implementations based on the use case.
1. ComplianceCow-Rules
The Rules server enables creating, managing, and executing compliance rules. It provides a comprehensive toolkit for rule creation with guided input collection, task orchestration, and ComplianceCow integration.
Use Cases:
Create custom compliance rules with multiple tasks
Execute rules against cloud infrastructure
Publish rules to ComplianceCow and attach to controls
Generate rule documentation (design notes, README)
2. ComplianceCow-Insights
The Insights server provides comprehensive access to compliance data, dashboards, assessments, and evidence through the Compliance Graph. Ideal for querying and analyzing compliance posture.
Use Cases:
Query dashboard data for compliance overview
Explore assessments and their runs
Retrieve evidence and compliance status
Execute Cypher queries on the Compliance Graph
Perform actions on controls and evidence
3. ComplianceCow-Workflow
The Workflow server enables building and executing automated compliance workflows with event-driven triggers, conditions, and activities.
Use Cases:
Create automated compliance workflows
Define event triggers and conditions
Execute multi-step workflow sequences
Manage workflow states and transitions
4. ComplianceCow-Assistant
The Assistant server specializes in assessment configuration, control setup, and SQL-based evidence collection. It provides tools for configuring compliance assessments and managing control evidence.
Use Cases:
Create and configure assessments
Set up control configurations with context entities
Create SQL-based evidence collection
Manage control citations and documentation
Getting Started
Prerequisites
MCP Host: You need an MCP-compatible host:
Python: Version 3.11 or higher
uv Package Manager: Required to run the MCP server
Authentication
The ComplianceCow MCP servers use OAuth 2.0 with client_credentials grant type.
To obtain credentials:
Sign up at ComplianceCow (or your dedicated instance)
Click "Manage Client Credentials" in the top-right user profile menu
Fill out the form to obtain your Client ID and Client Secret
Installation
Clone the repository:
git clone https://github.com/ComplianceCow/cow-mcp.git cd cow-mcpCreate virtual environment and install dependencies:
uv venv .venv source .venv/bin/activate # On Windows: .venv\Scripts\activate uv pip install .Find your uv binary path (needed for configuration):
which uv # On macOS/Linux where uv # On Windows
Configuration
Environment Variables
Variable | Description | Required |
| ComplianceCow API host URL (Ex: https://partner.compliancecow.live) | Yes |
| Your Client ID (see Authentication section above) | Yes |
| Your Client Secret (see Authentication section above) | Yes |
MCP Host Setup
Claude Desktop
Configuration file location:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.jsonWindows:
%APPDATA%\Claude\claude_desktop_config.json
For detailed setup instructions, see Claude Desktop MCP Setup.
Configuration template for all 4 servers:
Replace the following placeholders:
UV_BIN_PATH: Path to your uv binary (e.g.,/Users/username/.local/bin/uv). You can find this by runningwhich uv(macOS/Linux) orwhere uv(Windows).PATH_TO_COW_MCP_REPO: The absolute path to your cloned cow-mcp repository. After cloning and runningcd cow-mcp, usepwd(macOS/Linux) orcd(Windows) to get this path.YOUR_CCOW_HOST: https://partner.compliancecow.live (or <your_dedicated_instance_hosturl>)YOUR_CLIENT_ID: Your ComplianceCow Client ID (see Authentication)YOUR_CLIENT_SECRET: Your ComplianceCow Client Secret (see Authentication)
Goose Desktop/CLI
For detailed setup instructions, see Goose Extensions Documentation.
Configuration file location:
macOS/Linux:
~/.config/goose/config.yamlWindows:
%APPDATA%\goose\config.yaml
Configuration template for all 4 servers:
Replace the following placeholders:
UV_BIN_PATH: Path to your uv binary (e.g.,/Users/username/.local/bin/uv). You can find this by runningwhich uv(macOS/Linux) orwhere uv(Windows).PATH_TO_COW_MCP_REPO: The absolute path to your cloned cow-mcp repository. After cloning and runningcd cow-mcp, usepwd(macOS/Linux) orcd(Windows) to get this path.YOUR_CCOW_HOST: https://partner.compliancecow.live (or <your_dedicated_instance_hosturl>)YOUR_CLIENT_ID: Your ComplianceCow Client ID (see Authentication)YOUR_CLIENT_SECRET: Your ComplianceCow Client Secret (see Authentication)
Running Locally
To verify the MCP server is properly set up before configuring your MCP host:
If the server starts without errors, you're ready to configure your MCP host.
Tools Reference
Rules Server Tools
Tool | Description |
Retrieve available tasks for rule creation | |
Get detailed task information including inputs/outputs | |
Intelligent task suggestions based on requirements | |
List all available rules in the catalog | |
Suggest matching rules to avoid duplicates | |
Create a new rule with tasks and I/O mapping | |
Retrieve complete rule structure by name | |
Check rule completion level | |
Overview of required inputs before collection | |
Guidance for template-based inputs | |
Collect file/template inputs with validation | |
Confirm and process template input | |
Collect primitive parameter values | |
Confirm and store parameter values | |
Upload files with format validation | |
Verify all inputs before execution | |
Execute a specific task with collected inputs | |
Execute complete rule with credentials | |
Monitor live execution progress | |
Fetch output files from execution | |
Fetch rule from ComplianceCow by ID | |
Fetch rule from ComplianceCow by name | |
List published ComplianceCow rules | |
Publish rule to ComplianceCow | |
Retrieve available assessments | |
Fetch attachable controls from assessment | |
Verify control is attachable | |
Attach published rule to control | |
Get applications for specific tag | |
Get application details and credential types | |
Fetch all available applications | |
Prepare application configuration | |
Check application publication status | |
Publish applications for rule execution | |
Add unique identifier to task | |
Configure standard/extended output schema | |
Generate Jupyter notebook design notes | |
Save design notes | |
Fetch existing design notes | |
Generate comprehensive README | |
Save README | |
Update existing README | |
List integration plans/assets | |
List checks for an asset | |
Get control hierarchy for asset | |
Create asset with initial check | |
Add check to existing asset | |
Schedule automated asset execution | |
List schedules for an asset | |
Delete asset schedule | |
Suggest control citations | |
Attach citation to control | |
Verify control automation status | |
Create documentation note on control | |
List control notes | |
Update control note | |
Create support tickets | |
Check rule publication status | |
Read local file content | |
Read resource URI content | |
Create downloadable file URL |
Insights Server Tools
Tool | Description |
List all assessment categories | |
List assessments by category/name | |
Fetch recent assessment runs | |
Fetch runs with pagination | |
Get control details from run | |
Get leaf controls from run | |
Get controls by name | |
Get control metadata | |
Get evidence for controls | |
Fetch control information | |
Get evidence records with filtering | |
Get evidence schema | |
Fetch available control actions | |
Fetch assessment actions | |
Fetch evidence actions | |
Fetch general actions | |
Fetch automated controls | |
Execute action on control/evidence | |
List all assets | |
Get asset summary statistics | |
Get resource types with pagination | |
Get checks for resource type | |
Get resources with pagination | |
Get resources by check name | |
Get checks summary statistics | |
Get resources summary statistics | |
Get resources summary by check | |
Get resource types summary | |
Get available review periods | |
Get comprehensive dashboard data | |
Get framework controls | |
Get framework summary | |
Get common control details | |
Get top overdue controls | |
Get top non-compliant controls | |
Fetch graph node data and schema | |
Execute Cypher query on graph | |
Get help information | |
Read local file content | |
Read resource URI content | |
Create downloadable file URL |
Workflow Server Tools
Tool | Description |
List workflow event categories | |
List available trigger events | |
List available activity types | |
List function categories | |
List available functions | |
List available workflow tasks | |
List condition categories | |
List available conditions | |
List predefined variables | |
List available workflow rules | |
Create workflow from YAML | |
List all workflows | |
Get workflow by name | |
Fetch complete workflow details | |
Update workflow implementation | |
Update workflow description | |
Update workflow diagram | |
Fetch resource data for execution | |
Create custom trigger event | |
Trigger workflow execution | |
Fetch workflow rule by name | |
Fetch task README | |
Fetch rule README |
Assistant Server Tools
Tool | Description |
Create assessment from YAML | |
List all assessments | |
List control configurations | |
Create control configuration | |
Update control context entities | |
Attach citation to control | |
Suggest relevant citations | |
Mark control ready for execution | |
Create SQL-based evidence | |
List SQL evidence for control | |
Update SQL evidence | |
Validate SQL query syntax | |
Get sample evidence data | |
Fetch evidence source summary | |
Create control config note | |
List control config notes | |
Update control config note | |
Get entity hierarchy | |
Get available context tables | |
Fetch rule README |
FAQ
1. How do I sign up for ComplianceCow?
Visit ComplianceCow Signup to create an account using various sign-up options including Google, Microsoft, and OTP.
2. What value does ComplianceCow deliver?
ComplianceCow helps with automated security compliance evidence collection, analysis, and remediation challenges. It's a security GRC controls automation studio for custom controls and workflows. Learn more at compliancecow.com.
3. Why are there 4 separate servers?
MCP works best with fewer tools per server. Splitting into 4 servers (Rules, Insights, Workflow, Assistant) ensures optimal performance and allows you to enable only the tools you need for specific use cases.
4. What if some tools have the same name across servers?
Some tools share the same name but have different implementations. Enable only one server at a time to avoid conflicts. The tool behavior is determined by the MCP_TOOLS_TO_BE_INCLUDED env.
5. How do I update the MCP server?
Then restart your MCP host (Claude Desktop or Goose).
6. Where can I get help?
Create an issue on GitHub
Contact ComplianceCow support through the platform